What can be hacked, will be hacked

Posted by: admin
Posted date: July 20, 2012

Across the world, the number of cyber attacks on public and private critical infrastructure – assets that are essential to the functioning of our society – is growing. Little seems safe. Electricity grids, oil and gas plants, water supply systems, financial infrastructure, traffic management – they are all vulnerable. Hollywood fantasy is becoming reality.

The year is 1995. In the movie The Net Sandra Bullock plays a reclusive software engineer who stumbles across plans by a secret organisation to dominate the world by breaking into critical computer systems. As she skirmishes with these mysterious Praetorians, she and her pursuers use computers as weapons, hacking into just about anything: power grids, Wall Street computers and airplanes. ‘Impossible’, many technology pundits pointed out at the time. Pure Hollywood fantasy.

These days The Net seems strangely prescient. More and more technology experts are convinced that just about anything can, and therefore will, be hacked, including vital infrastructure systems. And those pesky Praetorians? Well, some argue they became reality too. Only they call themselves Anonymous. This group of anarchistic hackers is known for their successful attacks on civic, commercial and government sites to gain notoriety and inflict damage. In February this year, Operation Unmask was launched: an international initiative supported by Interpol which led to the arrests of 25 hackers from countries in Europe and Latin America. The group, aged from 17 to 40, are believed to have links with Anonymous. According to Interpol, the international arrests followed a series of coordinated cyber attacks against the Colombian Ministry of Defence and presidential websites, as well as Chile’s Endesa electricity company and national library. On internet forums and Twitter, Anonymous has vehemently denied it would attack critical infrastructures, calling suggestions like these ‘ridiculous’ and ‘fear mongering’.

But the western world is vulnerable to online attacks, that much is clear. Earlier this year, the World Economic Forum listed cyber security as one of the five global risks to watch. In their Global Risks Report 2012, experts considered risks that have ‘severe, unexpected or underappreciated consequences’. The risk to critical systems failure that respondents cited most frequently was cyber attack. In the report, the WEF states: “National critical infrastructures are increasingly connected to the internet, often using bandwidth leased from private companies outside of government protection and oversight.”

How can terrorists and hackers harm or destroy critical infrastructure from the comfort and safety of their own sofas? Well, for one thing, the information is out there. There are many control systems that are accessible directly from the internet or that can be easily located through internet search engine tools and applications. “It is indeed possible to hack into critical infrastructure”, confirms Eric Luiijf, Principal Consultant at TNO, the Netherlands Organization for Applied Scientific Research. He’s been warning about this since 2002: “ICT is everywhere these days; my car has 120 processors on board. And if it can be hacked, it will be hacked, sooner or later. Even if you pay a lot of attention to security.”

Malfunction? Technical glitch?
Media reports abound. In March this year, the US Government Accountability Office (GAO) testified that at least four energy facilities have been hacked in the United States, two of them nuclear plants. As early as 2001 the Californian electricity grid was hacked, causing an outage in parts of the state. Closer to home, there are reports of multiple hackings into the Norwegian electricity grid. NASA admitted last March that hackers had broken into critical systems, including those that control parts of the International Space Station. To top it all, former US ‘cyber security czar’ Richard Clarke testified that the blueprints for the F35 Joint Strike Fighter Jet were copied by Chinese hackers breaking into Lockheed’s intranet, resulting in a serious breach of US national security. But this is just the tip of the iceberg, according to Luiijf. “Many cyber security incidents involving critical infrastructure are not properly identified as such to higher management. Moreover, organisations want to keep quiet about it to the outside. It is simply called a malfunction or a technical glitch.”

The Dutchman thinks that security is still not a primary concern in many organisations. Because of ‘ease of use’ considerations, protection of infrastructure against hackers is often minimal. Take a municipal water supply service that needs to install a new pumping system. “To manage it, they will probably get a remote access industrial control system. You can buy complete systems off-the-shelf at an industrial hardware wholesaler. And if that system has password protection, chances are the people installing it will not use it – to make it easier to access the system in the future.” The result is a weak link in the water supply chain, waiting to be tested by somebody. And it was. Recently hackers in the Netherlands took control of the pumps of a tropical swimming pool. “They were just playing with it, but it could have been a lot worse if they had malicious intentions”, notes Luiijf.

Too easy
After denials from manufacturers that their systems could be remotely controlled, Dutch TV-journalists broke into a pump station in Veere, a small community in Zeeland, warning the local authorities they could turn off the pumps and flood the countryside. In a separate incident they turned off the central heating of the national headquarters of the Salvation Army. The entry to both remote control systems was made possible through the internet and because of a very easy to guess password (‘Veere’). An IT-specialist hired by the journalists said on-camera that within ‘half an hour’ he could teach his mother how to hack into systems like these. “That’s how simple it is.”

Stuxnet
Flashback to Hollywood and John Travolta in Swordfish (2001). In this movie he forces a retired hacker to steal 10 million dollars (an accumulated government slush fund) from a bank. The money is destined for a secret government organisation called Black Cell which kills terrorists who have targeted Americans. Rebels and spies using cyberspace as a battle ground? It seemed farfetched in the year terrorists used real airplanes to launch an attack on the US.
And then nearly a decade later, in 2010, Stuxnet was discovered in a nuclear plant in Iran.

Duqu – the next Stuxnet?

In November 2011 security firm Symantec warned of the emergence of new malware called Duqu, which contains code identical to that used in Stuxnet. It also targets SCADA systems used in power, water and sewage plants, oil and gas refining and telecommunications, but its purpose seems to be to gather intelligence for mounting future attacks. Symantec stated that Duqu infections have been confirmed in at least six organizations in eight countries (France, the Netherlands, Switzerland, the Ukraine, India, Iran, Sudan and Vietnam).

Stuxnet is powerful and complex malware – malicious software – that sabotages or spies on the type of computers used in industrial control systems. The worm, which is designed to attack Siemens systems, was discovered in several important SCADA-programs – those that control the operation of valves, pipelines and other industrial equipment – at the Iranian uranium enrichment facility at Natanz. According to the draft report Information and National Security by UK NATO rapporteur Lord Jopling, Stuxnet deploys two extremely complicated programming payloads to bomb the target’s operating system, causing damage to the centrifuges while blinding its systems to the reality of what is happening. Such is the sophistication of the Stuxnet code, analysts believe it was designed by the US and/or Israel or Russia to slow down the development of weapons technology in Iran. Whoever tried to thwart the Iranians, it worked. The centrifuge operational capacity at Natanz dropped by 30 percent after the incident.

Meltdown
Most experts agree that only nation states currently have the resources to sabotage a critical system of that nature but the emergence of Stuxnet suggests what is possible. From the World Economic Forum report: “A virus like Stuxnet could conceivably trigger a meltdown in a functioning nuclear power plant, turn off oil and gas pipelines or change the chemical composition of tap water.”

Stuxnet also showed the potential scale of fights in cyber space, and the gloves, it seems, are off. In the decade since Swordfish, hacking has become part of geo-political armoury, seen as being on par with conventional weapons. The American government has a doctrine that says as much:
‘When warranted, the United States will respond to hostile acts in cyberspace as we would to any other threat to our country. All states possess an inherent right to self-defence, and we recognize that certain hostile acts conducted through cyberspace could compel actions under the commitments we have with our military treaty partners. We reserve the right to use all necessary means—diplomatic, informational, military, and economic—as appropriate and consistent with applicable international law, in order to defend our Nation, our allies, our partners, and our interests.’
International Strategy for Cyberspace, The White House, May 2011

The Obama administration is also pushing for a three-year mandatory imprisonment sentence for attacks against critical infrastructure systems.

What is…
Critical infrastructure

Countries differ when describing what exactly constitutes a critical infrastructure, also called vital infrastructure. The most important element is that they are essential to the functioning of society. The EU definition is: The physical and information technology facilities, networks, services and assets that, if disrupted or destroyed, would have a serious impact on the health, safety, security or economic well-being of citizens or the effective functioning of governments.
Think electricity systems, gas and oil plants, water supply (drinking water, sewage), transportation and financial/governmental (IT) services.

SCADA

Supervisory control and data acquisition (SCADA) programs are also called industrial control systems (ICS). These are computer systems that monitor and control processes in industry, infrastructure, or facilities. More and more of them are becoming connected to the internet.

NATO’s new policy
On the military side, NATO – whose own networks are constantly under attack by hacktivists – was early to spot cyber security as a serious issue when it implemented a Cyber Defence Programme in 2002. Last year, NATO defence ministers adopted a new cyber defence policy, focusing on prevention and building resilience. In November 2011, in an opinion piece for The New York Times, NATO’s Supreme Allied Commander Transformation, French General Stéphane Abrial, wrote that cyber attacks are “among the most pressing and potentially dangerous threats to our collective peace and security.”

Abrial: “In discussing a hypothetical major attack, NATO leaders are often asked what circumstances would trigger a response under Article V of the Washington treaty — in other words, when would an attack against one be considered an attack on all? It would not be prudent to try to define exact tripwires in advance, or to tie our hands as to how we would react. But assuredly, the alliance would respond deliberately to any significant attack, adapting its reaction to the extent of the damage, the degree of certainty in attribution, the identity of the attackers and their perceived intentions.”

In the article, the NATO Commander states that civilian authorities in all 28 NATO member nations have the lead responsibility on cyber security. Abrial: “NATO is therefore working in support of whole-of-government approaches to cyber defence — led by civilian agencies in each nation — and with actors outside government. Key among those are commercial suppliers and the wider industrial base, since NATO-wide, 85 percent of critical infrastructure is in private hands.”

Who hacks?
Professor Solange Ghernaouti–Hélie of the Faculty of Business and Economics at Lausanne University (Switzerland) is an international expert in cyber security and cybercrime. She has seen hacking become a weapon but acknowledges there’s no clear profile of those wielding cyber weapons. “There are all kinds of people who hack into critical systems”, says Ghernaouti–Hélie. “Think of 16-year-old boys who want to prove that they can. But also criminals who want to blackmail the owners of a system. And lately we see government agencies trying to generate chaos in another country. The internet is very busy with people trying to do harm.”

As said previously, Stuxnet was an unusual development both in the complexity of its code and the nature of its intended target. Sources in The Economist claimed that its designers must not only have had access to the target plant’s blueprints and a detailed knowledge of Siemens’s industrial-production processes and control systems, but also pointed to their use of four previously unknown Windows security-holes – known as zero-day-vulnerabilities – that are so valuable to hackers that they would not generally use so many in a single attack.

Thomas Rid and Peter McBurney of the War Studies Department at Kings College London believe that the more destructive a cyber weapon is, the more expensive and difficult it will be to produce, especially in terms of the intelligence needed about the target. As a consequence, such cyber weapons will be very specific, not easily repurposed, and unlikely to cause collateral damage. In a report on cyber weapons produced earlier this year, they concluded that: “The cost-benefit payoff of weaponised instruments of cyber-conflict may be far more questionable than generally assumed: target configurations are likely to be so specific that a powerful cyber weapon may only be capable of hitting and acting on one single target, or very few targets at best.” While Ghernaouti–Hélie agrees that hackers or terrorists are not yet knowledgeable enough to produce something as destructive as Stuxnet, there is danger in other collaborations: “We see more and more links between radicals and tech-savvy criminals, who do know how to penetrate a critical system. If your goal is to disturb and disrupt, hacking is an excellent way to reach your goal.”

And she believes hacking is developing into a powerful weapon that might force us to rethink current political conflicts. “Take the Israelis and the Palestinians. They hack each other on a daily basis. No amount of security is going to stop some of these hacks to be successful, because both sides are incredibly motivated. If you don’t solve the root of the problem – the conflict between the two states – you are not going to stop the relentless hacking.” Since that might not be on the cards – Israel and the Palestinians have been at each other for decades, for example – governments and companies have no other choice than to invest heavily in cyber security to keep their, and our, critical infrastructure safe.

As a result, security is now the single biggest software market. But even the best security is not a cure-all, according to Professor Bernhard Hämmerli, cyber security expert at the Lucerne University of Applied Sciences (Switzerland). Since so much of our society is now online, protecting each and every nook and cranny of our networked lives has become impossible. Hämmerli compares it to guarding an extremely long fence. Unless you have guards at ten meter intervals, somebody can (and therefore will) climb across. “The defender has to defend everything, the hacker can be specific. He can stake out a system for a long time and look for that one weak spot he needs to get in. To make it even more difficult, IT infrastructure is constantly evolving. You have constant updates, maintenance, new applications; each and every change you make to a system could render it more vulnerable to a breach of security.” And then there is the money issue. Hämmerli: “Budgets always have limits; no organisation in the world has the funds to completely seal off a system.”

The World Economic Forum suspects that some security suppliers themselves could be in on the hacking game. In their Global Risks Report, the Forum stresses one of the key challenges in cyber security, that ‘incentives are misaligned’: vendors of online security products have a financial interest in talking up the threats of cyber crime, while the victims often have an interest in remaining silent. It believes correcting such ‘information asymmetries’ should be at the centre of policies to improve global cyber security.

Fire sale
Security professionals turning into hackers brings us to the summer blockbuster of 2007. Die Hard or Live Free stars Bruce Willis as an analogue cop in a digital world. While escorting a young hacker to the FBI, Willis finds himself in the middle of a fire sale, a state of utter chaos caused by the simultaneous hacks of several critical systems including utilities, traffic management and communications. This large scale hack is performed by former US government security adviser Thomas Gabriel, who is proving a point: he warned in vain that such a large scale attack was possible and is now causing mayhem.

The world has yet to witness a real fire sale consisting of simultaneous hacks against critical infrastructure but if past movies about hackers are anything to go by, we should see one in about five years. Probably not as spectacular as in the movies – hacking in real life never is.

For critical infrastructure IT professionals from around the world, it is only a matter of time. In a survey by security firm McAfee of 600 IT specialists from 14 countries, more than half the respondents think we will witness large scale attacks within the next few years.

The internet of things
Robbert Kuppens, Chief Information Officer for Cisco Systems in Europe, the Middle East and Africa, also thinks it could be on the cards. His company manufactures a large portion of the infrastructure that powers the internet, so it must remain one step ahead of the hackers. According to Kuppens, new threats are constantly lurking in the dark corners of cyberspace; there is no room for complacency with more and more devices, such as smart electricity meters, connecting to the internet. The US Governmental Accountability Office (GAO) recently underlined this in a report on Electricity Grid Modernization, with the realistic headline ‘Progress Being Made on Cybersecurity Guidelines, but Key Challenges Remain to be Addressed.’

Shockingly slipshod
Kuppens: “We are currently heading for the internet of things, in which many devices that were until now offline will connect to the internet, either by cable or wireless. All these new devices are potential leaks for the networks they are connected to, so you should secure them all. Don’t think for a moment that a device will not be hacked because it does not look like a computer. Take mobile phones. Until recently a lot of people thought they could not be hacked, but now we know that is not true anymore.”

Kuppens says that a lot of companies and governments are very security conscious. But he also regularly encounters critical systems, both public and private, protected by shockingly slipshod security measures. “One of the biggest problems is that security is often just an afterthought. And that the people who make decisions about investments in hardware and software are sometimes ill-informed. Security costs money, while its benefits are often not immediately clear to the layman. And if there are security-conscious IT staff in an organisation, we find they lack strong support from management to invest in the necessary hardware and software.”

Security and security management nowadays ask for a holistic approach. It is no longer a responsibility of IT only, but of the organisation as a whole.

Next target: energy supply
So, where could a large scale attack take place? Kuppens thinks – and Hämmerli, Luiijf and Solange Ghernaouti–Hélie agree – the energy supply is a logical target. In Europe, the management of electricity is often centralised, with one organisation controlling the whole electricity supply. Electricity grids are often managed online, which increases the risk of a breach of security at the central level. In a worst case scenario, an attack could shut down the electricity in a whole country or even the whole of Europe.

Cyber incidents have already taken place in energy facilities. In 2009, at a hearing for the US Congress, it was stated by US national security officers that cyber spies had compromised the electrical grid of the United States and installed software programs that can disrupt the system when activated by a hacker.

In a testimony for a committee of the US House of Representatives, the US Governmental Accountability Office (GAO) cited four incidents concerning energy plants. Apart from Stuxnet in Iran, the GAO believes that in 2006 the failure of two circulation pumps at Browns Ferry, a US nuclear power plant in Alabama, was caused by cyber security breaches. In 2003 an alarm processor in FirstEnergy, an Ohio-based electric utility, failed, resulting in the cascading failure of 508 generating units at 265 power plants across eight US States and a Canadian province.

Earlier that same year a worm known as Slammer infected a private computer network at the Davis-Besse nuclear power plant in Oak Harbor, Ohio. It disabled a safety monitoring system for nearly five hours. In addition, the plant’s process computer failed, and it took about six hours for it to become available again.

James Lewis, cyber specialist at the American Center for Strategic & International Studies (CSIS) has been keeping a ‘significant cyber incidents’ list since 2006. According to this list, Norway’s National Security Agency (NSM) reported that in 2011 at least 10 major Norwegian defence and energy companies were hacked: “The attacks were specifically ‘tailored’ for each company, using an email phishing scheme. NSM said that the attacks came when the companies, mainly in the oil and gas sectors, have been involved in large-scale contract negotiations. The hacking occurred over the course of 2011, with hackers gaining access to confidential documents, industrial data, usernames and passwords.”

Holistic approach
So, how do we deal with these threats? The response from governments is a mixed bag, according to security specialist McAfee. Governments continue to play an ambiguous role in cyber security – sometimes helping the private sector, sometimes ignoring it. The US and the UK are taking the lead in developing cyber security strategies and have made cyber security a top priority in their national security programmes. The US has its Cyber Command, the UK its Government Communications Headquarters. GCHQ director Iain Lobban, reported in The Guardian, has no illusions about the scale of the threat: "Cyberspace is contested every day, every hour, every minute, every second," he said. "I can vouch for that from the displays in our own operations centre of minute-by-minute cyber-attempts to penetrate systems around the world."

The EU is slowly stitching together a holistic approach. In 2011, the European Commission published the Communication Achievements and Next Steps: towards Global Cyber-security. It focuses on the global dimension of the challenges and the importance of boosting cooperation among EU states and the private sector at national, European and international level. The EU is striving for more awareness and preparedness.

European member states are rapidly installing national CERTs (computer emergency response teams) while ENISA, the EU’s cyber security agency, issued a thick study on industrial control systems (ICS) security. Derived from a hundred key findings, the report proposes seven ‘urgent’ but ‘challenging’ recommendations for improving ICS security. The recommendations call for national and pan-European ICS security strategies, a Good Practice Guide on ICS security, research activities, spreading awareness, the establishment of a common test bed and ICS-computer emergency response capabilities. ENISA stresses the importance of active collaboration between public organizations and the private sector. Earlier this year ENISA saw its mandate extended after the successful coordination of the first pan-European cyber security exercise. This was, reported German think tank Bertelsmann, despite criticism for its location on Crete, making it hard to attract qualified IT staff.

New laws needed
Across the world, reports are written, tough words are spoken, action lists formulated. But stopping hackers interfering with our critical infrastructure seems not to be so easy. Existing regulation is not enough, the experts say. International laws and international or even global cooperation is the key, as these are often cross-border crimes with major jurisdiction issues. That’s if you can even identify where an attack comes from. There must be a new framework. “We need new laws. We should determine internationally what is and what is not punishable when it comes to the internet”, according to Cisco’s CIO Kuppens. “While politicians tend to look at their own back yard, the virtual world knows no borders. Something that is prosecutable in one country is allowed in the next. We should have treaties about what constitutes a cyber crime and how and by whom it should be punished. Perhaps we could establish a WTO-like organisation to battle cross border online crime.”

NATO rapporteur Jopling proposes just that: “On the global level, NATO should support initiatives to negotiate at least some international legal ground rules for the cyber domain. International law should clearly prohibit the use of cyber attacks against civilian infrastructures.” Jopling also called for NATO member states to hurry up when ratifying binding international treaties, like the Council of Europe’s Convention on Cyber crime, because banning cyber criminal activities would also help in dealing with cyber terrorists and state-sponsored cyber attacks that often use the same techniques as cyber criminals.

A role for the UN?
Professor Ghernaouti–Hélie sees a role for the UN. According to her, this is the only international organisation with sufficient clout to author an enforceable code of online conduct for states, companies and individuals. “We need to integrate security in every piece of technology that is coming on the market. Only an international organisation like the UN can force the market to do that. We need a UN charter for the internet that establishes what you can and cannot do online.”

Chances are slim however, that such a scenario will unfold. Although the UN is working on cyber security, through the UN General Assembly and through the International Telecommunications Union, there is as yet no UN Cyber Security Department. A spokesperson for the UN says there are to date no plans for a charter, new laws or a conference on the subject. International law specialists question the UN’s capacity on this subject because since the nineties, the conclusion of international treaties has taken a sharp decline. Most plausible is that bilateral treaties and regional, or if possible, global partnerships, might help generate some agreement on establishing cyber security. In the meantime nations, owners of critical infrastructure, and the rest of us, are left to fend for ourselves.

Where is the Hollywood superhero to keep us safe in cyberspace?

For this article, Volta used the sources listed below – and many more. They might be a reference point for your research.

NATO
NATO has an online library which provides a ‘few starting points to assist you with your research on issues related to cyberspace security, in particular, in the NATO context’. See www.natolibguides.info/cybersecurity

Computer security
Fellow TA colleagues at ITAS / KIT are working on Compartmentalised Computer Security (CCompS), trying to isolate operating systems and applications of differing sensitivity or risk from one another.

Text: Philip Dodge and Pascal Messer.

Illustration: Petit Comitè.

volTA magazine

volTA was a magazine on Science, Technology and Society in Europe, an initiative of fifteen technology assessment organisations that worked together in the European PACITA project, aimed at increasing the capacity and enhancing the institutional foundation for knowledge-based policy-making on issues involving science, technology and innovation. It was published between 2011 and 2015 in 8 numbers.